Product: Winfrasoft Gateway Appliances
Security appliances are not a new concept to the IT world and have long been regarded, by many, as a significant instrument in the arsenal of those charged with defending an organization’s environment. Their fit-for-purpose approach lessens the installation and administrative burden of white-box solutions, and the “hardening” of the underlying operating system reduces the device’s overall attack surface. Coupled with this, appliance vendors tend to include additional services and applications that enhance an appliance’s capabilities, improve security and lessen the support overhead of another server in the environment – well, that is what a good appliance solution should do.
Despite the multitude of benefits one gets from appliances, they do have detractors. The most notable issue administrators and security consultants raise when discussing an appliance option is that the physical hardware used by typical appliance manufacturers is either simply not up to spec or overpriced, or corporate policy does not allow “proprietary” hardware to be deployed. Furthermore, restrictions placed on opening and upgrading a device have also turned administrators against deploying traditional Windows-based appliances.
It was because of these issues that the “readers’ choice” awards (hosted here at www.isaserver.org) annually awarded the best appliance to Hewlett Packard for their ISA Server 2004 appliance, until this year. This appliance has long since been retired and is no longer available for purchase but, at the time, it addressed customers’ concerns about the hardware and the support provided by the vendor; funny how having a world-renowned brand name eases concerns. The retirement of this appliance limited the options available within data centres and government organizations, as they were forced to resort to white-box installations because internal policies typically restrict the deployment of non-TIER-1 hardware. This became even more problematic for administrators who wanted to deploy Microsoft IAG 2007, as it could not be purchased as software and an appliance was the only deployment option before the release of IAG 2007 SP2.
I was therefore rather happy to hear that our friends at Winfrasoft had created a collection of ISA and IAG appliances which are delivered on HP hardware. Winfrasoft has now partnered with Portcullis Systems to take the “powered by Winfrasoft” solutions to a wider audience, allowing Winfrasoft to focus further on the solution side of the appliance. For those of you not familiar with Winfrasoft, they are Microsoft ISV and Security Gold partners who have released various ISA Server specific applications (VPN-Q, Backup for ISA Server and X-Forwarded-For for ISA Server & IIS) which I have reviewed very positively on this site.
These “powered by Winfrasoft” appliances deliver the best of both worlds, combining the world’s best-selling TIER-1 hardware platform with ISA Server and IAG – bundled up with a comprehensive suite of deployment and management software. The appliances use the Generation 5 HP ProLiant DL160, DL360 and DL380 platforms, which are the latest on offer from HP. They are all 64-bit Xeons with 4GB RAM and have at least two hard drives, so they will be ready for an easy upgrade to the 64-bit-only versions of Microsoft TMG and UAG.
As if deploying appliances on TIER-1 hardware were not a compelling argument in itself, Winfrasoft has gone a step further and applied their ISV knowledge to deliver a very solutions-focused appliance. Working alongside the native HP hardware redundancy, each appliance also includes Winfrasoft Backup for ISA Server and Paragon Drive Backup 9.0 Server. Combined, these two applications allow you to perform multiple full-partition, VSS-compliant backups, or ISA Server-specific configuration and log data backups. These can be scheduled and stored locally or off-box.
Redundancy to this level is often not available on other appliances. Some other vendors only provide a return to the factory default configuration and possibly a single last-known-good configuration snapshot. This is a good start, but this last-known-good configuration is typically saved on-box and in some cases requires a shutdown and restart to be performed, and thus cannot be scheduled – not exactly enterprise ready. In the case of vendors who supply proprietary hardware, if a catastrophic hardware fault occurs, the only route to repair is a complete box swap-out. This is when you suddenly realize that all your configuration settings are stuck in the now dead box and you need to re-configure the replacement unit from scratch. The need to swap out complete appliances and not just a faulty part is all too common, as vendors typically have a closed-box policy which means that any opening of the device voids the warranty.
Like any HP server, the “powered by Winfrasoft” appliance range are also “open” systems and, provided you use approved HP parts, any hardware replacements are fully supported. This applies to hardware upgrades as well, so adding more RAM or another drive is totally fine and does not bump up against any warranty policy. Finally, and probably most importantly, if you already have a bank of HP servers, then these appliances can be slotted straight into your existing management infrastructure: use the Integrated Lights-Out functionality and expect an engineer on-site if your hardware does go south. As this hardware support offering is provided by HP, you will get a consistent service irrespective of where you are in the world. With an open-box appliance policy, you get the best features of both an appliance and a “white-box” server in one.
There are three appliance solution flavors built by Winfrasoft: IAG 2007 (the first vendor to ship with SP2), ISA Server 2006 SP1, and Websense 6.3.2 on ISA Server 2006 SP1 – called WebControl. The standard Windows 2003 R2 with SP2 operating system and the ISA Server configuration have been hardened out of the box, so you are ready to utilize the devices in your environment right off the bat.
In the case of the WebControl appliance, Winfrasoft worked closely with Websense technical staff to determine and alleviate the ten most common deployment problems experienced when deploying Websense on ISA Server. This has resulted in a fully integrated Windows-based Websense and ISA Server device, with on-box reporting and even the Websense category database – yes, the only Windows-based appliance that actually has Websense installed on it. There is even a Websense-specific wizard that allows you to sync up your ISA Server settings and change the IP address – a seemingly trivial task, but not when Websense is installed on a box. So, no more blocking the block page and no more allowing everything everywhere just to get Websense to operate; the wizard does it all for you and keeps the appliance secure. The WebControl appliance will literally have you looking at colourful reports of categorised web sites within minutes of switching it on for the first time. By comparison, other vendors only put ISA Server on the appliance, leaving you to spend many hours installing Websense and downloading databases; that sounds more like a white-box deployment to me.
What is very apparent about “powered by Winfrasoft” appliances is the simplicity of configuring them. All appliances have Winfrasoft’s Appliance Configuration Wizard installed, which allows you to configure the IP addresses for your Internal, External and DMZ networks. It prevents users from entering two default gateways and also sets up DNS properly for you. It has some other neat gadgets too, like the ability to create your own self-signed certificates. Naturally, you can’t use these self-signed certificates for your super-secure PKI deployment; however, it is a very convenient add-on that allows you to create and test your publishing rules with the correct DNS name upfront, before purchasing your real certificate.
Apart from the standard HP management agents on all devices, you also have the option to turn on the remote management agent. Again, this can be enabled within the config wizard, and all appropriate ISA Server firewall rules are automatically created for you so the agent can securely talk to the Internet. The added benefit of this additional management agent is that it allows for a virtual engineer on site and patch management, as well as the usual (and not so usual) device integrity reporting and alerting. All this is delivered via a single outbound port, which keeps the network security guys happy. Portcullis is offering this as a service called PSAM (Portcullis Systems Appliance Management), which puts the operational know-how behind the management agent.
Portcullis Systems’ assembled and managed HP-based appliances “Powered by Winfrasoft” have breathed new life into the Microsoft security appliance space, but it just may be the solution-based approach of Winfrasoft that is the most exciting development, and indeed the next evolution in this appliance space. The solution approach is rather evident, with the promise of even more to come, both on the current ISA/IAG platform and in the TMG/UAG time frame. To top it off, should you wish to evaluate the software build that goes onto the HP hardware, the appliances are also conveniently available in Virtual PC and Hyper-V formats for a 30-day evaluation. An appliance without hardware, interesting…
ISAserver.org Rating: 5/5